Taking the Pulse of Security Research
Security researchers and hackers are the tinkerers of the digital age; they toil among bits and bytes and occasionally come up with new, clever methods to both build and break the increasingly digital infrastructure all around us.
Today, a number of important things are happening in the world of security research that CDT is involved with:
- DMCA 1201 Hearing: The US Copyright Office is holding a hearing on the security research exemption to the anticircumvention prohibitions of Section 1201 of the Digital Millennium Copyright Act (DMCA);
- Research Report [here]: CDT’s Stan Adams and myself are releasing a research report that used qualitative interviews of security researchers and hackers to get a better feeling for “chilling effects”; analyzing the forces that can shape the work – both providing incentives and disincentives – of computer, network, and information security; and,
- Expert Statement [here]: CDT is releasing an expert statement with nearly 60 signatories expressing support for the critical nature of security research.
The Copyright Office (CO) every three years decides if certain technologies should be exempt from the DMCA’s prohibition on circumvention of access controls and, if so, under what conditions. In 2015, the CO allowed an exemption for security research on certain kinds of devices under certain specified limitations. It was a real victory at the time, and has paved the way for increased scrutiny of vehicles, medical devices, and networked consumer devices. However, the limitations imposed by the CO were quite restrictive, limiting the types of devices allowed and limiting investigations to controlled environments, solely for good faith security research, while not violating any other laws, including the Computer Fraud and Abuse Act (CFAA).
CDT and our co-petitioners, Prof. Ed Felten and Prof. J. Alex Halderman – assisted mightily by Blake Reid and the clinical law students Samuelson-Glushko Technology Law & Policy Clinic at Colorado Law – have asked the CO to remove all of these limitations. We’ve effectively asked for the exemption to be simplified to permit all forms of good-faith security research performed on software and software-controlled systems. We think this would go a long way as to removing any ambiguity that the DMCA does not and should not prohibit investigation into these systems’ protections, shortcomings, and potential mitigations. We’ll testify to that effect today at the hearing.
To underline the nature of chilling effects on hacking and security research, CDT has worked to describe how tinkerers, hackers, and security researchers of all types both contribute to a baseline level of security in our digital environment and, in turn, are shaped themselves by this environment, most notably when things they do upset others and result in threats, potential lawsuits, and prosecution. We’ve published two reports (sponsored by the Hewlett Foundation and MacArthur Foundation) about needed reforms to the law and the myriad of ways that security research directly improves people’s lives. To get a more complete picture, we wanted to talk to security researchers themselves and gauge the forces that shape their work; essentially, we wanted to “take the pulse” of the security research community.
Today, we are releasing a third report in service of this effort: “Taking the Pulse of Hacking: A Risk Basis for Security Research.” We report findings after having interviewed a set of 20 security researchers and hackers – half academic and half non-academic – about what considerations they take into account when starting new projects or engaging in new work, as well as to what extent they or their colleagues have faced threats in the past that chilled their work. The results in our report show that a wide variety of constraints shape the work they do, from technical constraints to ethical boundaries to legal concerns, including the DMCA and especially the CFAA.
What emerges from our interviews is a “risk basis” for security research; a set of activities that can be performed in more or less risky ways. For example, security researchers may engage in an activity called network scanning, which involves iterating over a set of network addresses or communication protocols (or both) to test for a given feature or collect data across a network. We learned from our interviews that security researchers using network scanning can reduce risk by giving notice in the packets they send about the nature of the current project and how a network operator could opt-out of future scans. On the other hand, scanning efforts that do not allow opting-out, or that attempt to greedily consume resources are more likely to receive a legal threat. Our paper contains a number of other examples in the areas of accessing computers, obtaining information, circumventing access controls, disclosing vulnerabilities, and testing live systems.
Finally, today we are releasing an expert statement from nearly 60 security researchers and experts that makes the case for the critical nature of security research – especially now, more than ever. The statement – signed by academic security researchers, independent security researchers, hackers, experts in security, and journalists that work in security – underlines the importance of security research to our modern digital society:
The ability of researchers to find and responsibly report vulnerabilities is more important today now that traditionally unconnected devices are being connected to the Internet and more of people’s lives are mediated by data, computation, and networking. Compromised systems and devices have been used to launch attacks all over the world. Vulnerability research, discovery, and disclosure are critical features of the modern digital society; the US National Institute of Standards and Technology has recognized in its Cybersecurity Framework that vulnerability disclosure is an important aspect of any effective cybersecurity program.
The letter closes by urging wide support for security research activities, and renounces those that would oppose these efforts. CDT believes strongly in the value of independent security research and will continue to work to achieve greater legal certainty for researchers and to promote a more robust security research community.